Replace hardcoded Flask secret key with environment variable to prevent session hijacking and CSRF attacks.

Changes:
- Load secret key from TISBACKUP_SECRET_KEY environment variable
- Fall back to cryptographically secure random key using secrets module
- Log warning when random key is used (sessions won't persist)
- Add environment variable example to README.md Docker Compose config
- Add setup instructions in Configuration section

Security improvements:
- Eliminates hardcoded secret in source code
- Uses secrets.token_hex(32) for cryptographically strong random generation
- Sessions remain secure even without env var (though won't persist)
- Prevents session hijacking and CSRF bypass attacks

Documentation:
- Update README.md with TISBACKUP_SECRET_KEY setup instructions
- Include command to generate secure random key
- Update SECURITY_IMPROVEMENTS.md with implementation details
- Mark hardcoded secret key issue as resolved

Setup:
```bash
# Generate secure key
python3 -c "import secrets; print(secrets.token_hex(32))"

# Set in environment
export TISBACKUP_SECRET_KEY=your-key-here
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
156 lines
3.8 KiB
Markdown
# TISBackup

This is the repository of the TISBackup project, licensed under GPLv3.

TISBackup is a Python script to back up servers.

It runs at regular intervals to retrieve different data types on remote hosts
such as database dumps, files, virtual machine images and metadata.

## Install using Compose

Clone this repository and build the pod image using the provided `Dockerfile`:

```bash
docker build . -t tisbackup:latest
```

In another folder, create the subfolders as follows:

```bash
mkdir -p /var/tisbackup/{backup/log,config,ssh}/
```

Expected structure:

```
/var/tisbackup/
├── backup/                    <-- backup location
├── config/
│   ├── tisbackup-config.ini   <-- backups config
│   └── tisbackup_gui.ini      <-- tisbackup config
├── ssh/
│   ├── id_rsa                 <-- SSH Key
│   └── id_rsa.pub             <-- SSH PubKey
└── compose.yaml
```

Adapt the `compose.yml` file to suit your needs: one pod acts as the WebUI front end and the other as the crond scheduler.

```yaml
services:
  tisbackup_gui:
    container_name: tisbackup_gui
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # SECURITY: Set a unique secret key for Flask session security
      # Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
      - TISBACKUP_SECRET_KEY=your-secret-key-here-change-me
    restart: unless-stopped
    ports:
      - 9980:8080

  tisbackup_cron:
    container_name: tisbackup_cron
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./ssh/:/config_ssh/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    command: "/bin/bash /opt/tisbackup/cron.sh"
```

## Configuration

* Provide an SSH key and store it in `./ssh`
* Set up the config files in the `./config` directory
* **SECURITY**: Generate and set a secure Flask secret key:

  ```bash
  # Generate a secure random secret key
  python3 -c "import secrets; print(secrets.token_hex(32))"
  ```

  Then add it to your `compose.yml` as the `TISBACKUP_SECRET_KEY` environment variable.
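The key-loading behaviour the commit message describes, as an added example (not TISBackup's own code): read `TISBACKUP_SECRET_KEY`, otherwise fall back to `secrets.token_hex(32)` and log a warning that sessions will not persist. It goes one step beyond the page by also rejecting the compose file's `your-secret-key-here-change-me` placeholder and flagging short keys; `load_secret_key`, `MIN_KEY_CHARS` and the `tisbackup` logger name are my assumptions.

```python
import logging
import os
import secrets

ENV_VAR = "TISBACKUP_SECRET_KEY"
# Placeholder value from the README compose example; treated as "not configured".
PLACEHOLDER = "your-secret-key-here-change-me"
# secrets.token_hex(32) gives 64 hex characters; anything shorter than this is flagged.
MIN_KEY_CHARS = 32

log = logging.getLogger("tisbackup")


def load_secret_key(environ=None, logger=log):
    """Return (secret_key, source) for use as Flask's app.secret_key.

    source is "env" when TISBACKUP_SECRET_KEY supplied the key and "random"
    when a per-process key had to be generated. A random key still signs
    sessions securely, but every restart invalidates existing sessions.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_VAR, "").strip()

    if key == PLACEHOLDER:
        logger.warning("%s still holds the README placeholder; ignoring it.", ENV_VAR)
        key = ""

    if key:
        if len(key) < MIN_KEY_CHARS:
            logger.warning(
                "%s is only %d characters long; generate one with "
                "python3 -c 'import secrets; print(secrets.token_hex(32))'",
                ENV_VAR, len(key),
            )
        return key, "env"

    logger.warning(
        "%s not set; using a random secret key. Sessions will not persist "
        "across restarts.", ENV_VAR,
    )
    return secrets.token_hex(32), "random"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    key, source = load_secret_key()
    # In the Flask app this becomes: app.secret_key = key
    print(f"secret key source: {source}, length: {len(key)}")
```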

**tisbackup-config.ini**

```ini
[global]
backup_base_dir = /backup/

# backup retention in days
backup_retention_time=90

# for nagios check in hours
maximum_backup_age=30

[srvads-poudlard-samba]
type=rsync+ssh
server_name=srvads.poudlard.lan
remote_dir=/var/lib/samba/
compression=True
;exclude_list="/proc/**","/sys/**","/dev/**"
private_key=/config_ssh/id_rsa
ssh_port = 22
```

**tisbackup_gui.ini**

```ini
[general]
config_tisbackup= /etc/tis/tisbackup-config.ini
sections=
ADMIN_EMAIL=josebove@internet.fr
base_config_dir= /etc/tis/
backup_base_dir=/backup/
```

Run!

```bash
docker compose up -d
```

## NGINX reverse-proxy

Sample config file:

```nginx
server {
    listen 443 ssl http2;
    # Remove '#' in the next line to enable IPv6
    # listen [::]:443 ssl http2;
    server_name tisbackup.poudlard.lan;

    ssl_certificate /etc/letsencrypt/live/tisbackup.poudlard.lan/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tisbackup.poudlard.lan/privkey.pem; # managed by Certbot

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://localhost:9980/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
## About

[Tranquil IT](contact_at_tranquil_it) is the original author of TISBackup.

The documentation is provided under the CC-BY-SA license and can be found
on [readthedoc](https://tisbackup.readthedocs.io/en/latest/index.html).